STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Arista MLS EOS 4.2x Router Security Technical Implementation Guide

V-256023

CAT II (Medium)

The out-of-band management (OOBM) Arista gateway router must be configured to forward only authorized management traffic to the Network Operations Center (NOC).

Rule ID

SV-256023r882411_rule

STIG

Arista MLS EOS 4.2x Router Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001097

Discussion

The OOBM network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed network elements and the NOC. This allows the use of paths separate from those used by the managed network.

Check Content

This requirement is not applicable for the DODIN backbone.

Review the network topology diagram to determine connectivity between the managed network and the NOC.

Review the OOBM gateway router configuration to validate the path that the management traffic traverses.

Step 1: To verify only management traffic is forwarded through the OOBM interface or IPsec tunnel, execute the command "sh ip access-list".

ip access-list OOBM_to_MGMT
   10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh telnet
   20 permit ip 10.10.10.0/24 192.168.10.0/24 
   30 permit udp 10.20.20.0/24 any eq bootps snmp

Step 2: To verify the ACL is applied outbound on the OOBM interface, execute the command "sh run int Eth YY".

interface ethernet 1
  description OOBM to MGMT link
  ip access-group OOBM_to_MGMT out

If traffic other than authorized management traffic is permitted through the OOBM interface or IPsec tunnel, this is a finding.

Fix Text

This requirement is not applicable for the DODIN backbone.

Configure filters based on port, source IP address, and destination IP address to permit only authorized management traffic into IPsec tunnels or the OOBM interface used for forwarding management data.

Step 1: To configure an ACL to allow only management traffic to be forwarded through the OOBM interface or IPsec tunnel, execute the command "sh ip access-list".

ip access-list OOBM_to_MGMT
   10 permit tcp 10.10.10.0/24 host 10.20.10.1 eq ssh
   20 permit ip 10.10.10.0/24 192.168.10.0/24 
   30 permit udp 10.20.20.0/24 any eq bootps snmp

Step 2: To apply the ACL outbound on the OOBM interface, execute the command "sh run int Eth YY".

interface ethernet 1
  description OOBM to MGMT link
  ip access-group OOBM_to_MGMT out